Privacy protection should be administered as a concept, as well as an operational reality.
Organisations should consider privacy protection not just in terms of the systems they use to protect data, but also in the way that they manage the individuals who access PII, and how privacy protection is treated alongside other business functions, such as project management.
ISO 27701 6.3 outlines how organisations can manage privacy protection as an end-to-end process, encompassing the above factors.
ISO 27701 6.3 contains three sub-clauses that include privacy protection-specific guidance, adapted from three supporting clauses in ISO 27002:
Additional PIMS-specific guidance relating to the processing of PII can be found in clause 6.3.1.1, which is also linked to articles contained within GDPR legislation.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.
Organisations should define roles and responsibilities that are specific to individual functions contained within their privacy protection policy – both their general policy and topic-specific policies.
Individuals with specific responsibilities should be skilled enough to carry out privacy-related tasks, and should be offered continual support that maintains an acceptable level of competency.
Areas of responsibility should include:
ISO acknowledges that each organisation is unique in the way it processes information. The above areas of responsibility should be accompanied by site- and facility-specific guidelines that take into account real-world factors affecting an organisation's PII-processing operation.
All of the above responsibilities and security areas should be clearly documented and made available to all relevant staff members.
Organisations should nominate an individual that customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 7.3.2).
In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.
In an organisation with many different privacy-related roles, responsibilities and duties can often come into conflict with one another.
Individuals can often carry out roles that have the potential to compromise PII, by virtue of either being the sole authority or lacking management oversight.
Responsibilities should be segregated to ensure a more robust privacy protection operation. Examples of roles that may contain conflicts include:
Segregation controls should be developed with various factors in mind:
ISO acknowledges that smaller organisations may find it difficult to segregate roles, given their limited resources, but the whole concept of segregation should nevertheless be pursued as far as is commercially and operationally possible.
As well as day-to-day, recurring revenue-generating operations, privacy protection should also extend to project implementation and management activities.
Projects often involve the migration, creation and alteration of vast amounts of PII and, as such, should be given adequate consideration in order for organisations to maintain compliance with localised and national privacy-related laws and regulatory guidelines.
A “project” can be any activity that alters a standard way of working, or introduces new processes and/or equipment and applications to an organisation.
Project management activities should ensure that:
Privacy protection efforts should not be limited to ICT projects. Organisations should consider a range of factors when determining specific PII-related requirements, including:
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
---|---|---|---|
6.3.1.1 | Information Security Roles and Responsibilities | 5.2 – Information Security Roles and Responsibilities for ISO 27002 | Articles (27), (37), (38), (39) |
6.3.1.2 | Segregation of Duties | 5.3 – Segregation of Duties for ISO 27002 | None |
6.3.1.5 | Information Security in Project Management | 5.8 – Information Security in Project Management for ISO 27002 | None |
Our ISMS.online solutions make it easy for organisations to achieve project oversight, ensuring that the data controller and processor policies and procedures are in line with the ISO standard.
Our online system also ensures that system implementers have a single place for reference and collaboration.
Our Assured Results Method (ARM) enables you to be confident that you are ticking all the boxes you need to comply with the standard.
Find out more and get a hands-on demonstration by booking a demo.